Ransomware is now one of the top security concerns for businesses and organizations of all sizes. The City of Atlanta was hit with a ransomware attack called SamSam in March, crippling some important departments like their court system, sewer infrastructure requests, and water billing department.
The attackers who deploy SamSam are known for clever, high-yield approaches. This, combined with the City’s lack of preparedness, explains why the infection was so debilitating.
Experts are telling us that SamSam will strike again. Unlike many forms of ransomware that spread via phishing attacks where individuals inadvertently invite the attack, SamSam exploits IT system vulnerabilities and cracks weak passwords. These ransomware attackers have made $1 million in less than six months.
Keeping all your systems patched, storing data in enterprise-based cloud backups, and having a ransomware preparedness plan can offer real protections against SamSam and other ransomware infections.
Unfortunately, ransomware attacks are on the rise, and as hackers use more sophisticated encryption technology, the threat is constantly evolving. According to malware security firm Barkly, a company is hit with a ransomware attack every 40 seconds. They also identified ransomware as the most prevalent form of malware, with “4.3x new ransomware variants in Q1 2017 than in Q1 2016.”
This eBook details how dangerous ransomware is, how it could harm your business, and what you should do to protect your data.
Ransomware is a type of malicious software (malware) that blocks access to a computer that infects, locks or takes control of a system and demands a ransom to unlock it. It’s also referred to as a crypto-virus, crypto-Trojan or crypto-worm. It then threatens that your data will be gone forever if you don’t pay using a form of anonymous online currency such as Bitcoin.
Most forms of ransomware are spread via spam using unsolicited phishing email or an attachment. Phishing attacks use emails disguised to look like they’re from someone you know and are more likely to trust.
Some ransomware-based applications disguise themselves as police or a government agency, claiming that your system is being locked down for security reasons and that a fine or fee is required to reactivate it. Then it typically asks you to click on a link or attachment to perform a routine task such as updating records or account details. If you do this, a worm or malware is downloaded, infects your system and locks it by encrypting your files.
Ransomware, like SamSam, can also infect your IT system using vulnerabilities in your computer’s browser. It does this when you click on a malicious code hidden in online ads or free software.
Ransomware targets small to medium-sized businesses because they are particularly vulnerable due to limited IT resources. They are also more likely to pay the ransom in the hopes that they’ll get access to their data, although the FBI warns that this isn’t necessarily so.
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cybercriminals to target more organizations, but it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Paying the ransom only guarantees that the malicious actors receive your money, and possibly even banking information. Also, decrypting files does not mean the malware infection itself has been removed.
No one is immune.
The lack of awareness and cybersecurity training is a leading cause of ransomware.
Ransomware comes in many different forms, but essentially, it’s a type of malware that denies access to your computer devices unless you pay a ransom. The ransomware malware encrypts your data. Once it does this, it can travel throughout your network and encrypt other mapped and unmapped network drives. Because of this, it can bring your organization to a halt.
The ever-evolving nature of these threats makes ransomware very difficult to keep track of. Ransomware-as-a-Service (RaaS) makes it easy for cybercriminals to set up a lucrative hacking scheme. It is provided as a vendor platform on the Dark Web. Unlawful vendors offer hackers and criminals a tool to use to lock down computer files, information or systems and hold them hostage.
Bad Rabbit: Bad Rabbit has infected organizations in Russia and Eastern Europe and is spreading throughout the world. It does this via a fake Adobe Flash update on compromised websites. When the ransomware infects a machine, users are directed to a payment page demanding .05 bitcoin (about $285).
Cerber: This ransomware encrypts your files using AES encryption and demands a ransom of 1.24 bitcoins (worth $500). It communicates via a text-to-speech voice message, a recording, a web page, or a plain text document. There’s no way to decrypt files that are encrypted by Cerber unless you pay the ransom.
Cryptolocker: CryptoLocker infects computers that run Microsoft Windows. Like other forms of ransomware, you must pay the hackers to decrypt and recover your files. CryptoLocker spreads via fake emails (phishing) designed to mimic legitimate businesses.
CryptoWall: This form of ransomware has been around since 2014, but new variants are still circulating, including CryptoBit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. Like CryptoLocker, CryptoWall is distributed by spam or exploit kits.
CryptXXX: CryptXXX used additional capabilities including network-share encryption. This means that even if you can decrypt your files, it can still cause significant downtime by encrypting files on your network shares.
Lockscreen: This form of ransomware isn’t new and has been in use for quite a while. It attacks Android devices. However, now there’s a new version that is more powerful and much more resilient. It used to lock your screen using a hardcoded passcode, but with the right code, you could unlock your device. Today the new version is impossible to reverse-engineer the passcode since it uses pseudorandom passcodes. Because of this, you can’t unlock your device and must pay the ransom.
Locky: If your computers are infected by Locky, it will rename all of your important files and prevent you from opening them. It does this through encryption and using the file extension–locky. Now, only the cybercriminals have the decryption key, and you must purchase it from them to retrieve your files. To do this, you have to go to the Dark Web and pay $400+ in Bitcoin.
NotPetya: This is a strain of Petya and was first seen in 2016. Today, experts believe NotPetya’s sole purpose is to destroy data instead of obtaining a ransom.
Petya: Petya is especially dangerous because it encrypts entire computer systems, and overwrites the master boot record, so you can’t reboot your operating system.
Spider: Spreads via spam emails. It’s hidden in Microsoft Word documents and installs the ransomware on a computer when it’s downloaded. The Word document (typically disguised as a debt-collection notice) executes macros that encrypt your data.
TeslaCrypta: This uses an AES algorithm to encrypt files and is specifically designed to attack Adobe software vulnerabilities. TeslaCrypta installs itself in the Microsoft temp folder.
TorrentLocker: TorrentLocker spreads via spam email campaigns and targets specific geographic regions. It also uses the AES algorithm to encrypt files. It collects email addresses from your address book to spread malware to your business contacts, friends and family members.
WannaCry: WannaCry has hit over 125,000 organizations in over 150 countries. It currently affects Windows machines through a Microsoft exploit known as EternalBlue.
WannaCrypt: This computer attack began locking down data on May 12, 2017. It affects Microsoft Windows Operating systems. WannaCrypt encrypts all the data in on your computer and holds it hostage.
ZCryptor: This form of ransomware uses a worm-like tactic to self-propagate and encrypt files and external drives so that it can attack other computers.
Ransomware attacks are increasing, and so are the ransoms to recover your data.
You’ll know when ransomware infects your computer because the hackers display a message telling you how much to pay to unlock your files. These ransoms typically run in the $300-$500 range. But, some businesses are having to pay upwards of $1,000 per computer. If you have 25 computers that are infected, that’s $25,000.